Thursday, February 25, 2016

Episode 1: Passwords

So let's jump right in and talk passwords. 

Rule #1, DO NOT, I repeat, DO NOT use the same password or a variation of that password for all the sites you log into. Once a hacker has that password, they can make a mess of every area of your digital life from email to online banking to social media. 

Rule #2, DO NOT use names or real words found in the dictionary. A password cracking program is a tool that runs through a list of possible passwords, one by one, until it hits on the right combination; it can process tens of thousands of different passwords in one second. The list of possible passwords the program uses can include commonly used passwords, dictionary words, and information specific to you, such as your birth date, so try to avoid these. 

Rule #3, The longer the password the better. Use the maximum length that each website will allow.
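Here's a small check, added to this post as an illustration (not a tool I use), that does what a site should do with Rules #1 and #2 before it accepts a password: it peels off the tricks people use to dress up a dictionary word (capital letter, leet-speak digits, a year or "!" on the end) and sees whether a dictionary word is left. The six-word wordlist is a constructed stand-in for the real lists a cracking program runs through.

```python
import re

# Constructed mini wordlist standing in for the dictionary and common-password
# lists a cracking program runs through (real lists hold millions of entries).
WORDLIST = {"password", "welcome", "dragon", "summer", "princess", "football"}

# Leet-speak swaps people use to "disguise" a word: P@55w0rd is still password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def base_word(candidate: str) -> str:
    """Undo the tweaks people bolt onto a dictionary word.

    Order matters: strip leading/trailing digits and punctuation first
    (Summer2016!), then undo leet swaps inside the word (Dr4g0n), then lowercase.
    """
    core = re.sub(r"[^A-Za-z]+$", "", candidate)   # drop trailing 2016, !, 123
    core = re.sub(r"^[^A-Za-z]+", "", core)        # drop leading 1, !!, etc.
    return core.translate(LEET).lower()


def is_dictionary_variant(candidate: str, wordlist=WORDLIST) -> bool:
    """Rule #2 check: True if the password is just a dressed-up dictionary word."""
    return base_word(candidate) in wordlist


def is_reuse_variant(candidate: str, known: str) -> bool:
    """Rule #1 check: Summer2016! and Summer2017! are one password to an attacker."""
    base = base_word(candidate)
    return base != "" and base == base_word(known)


if __name__ == "__main__":
    for pw in ["P@55w0rd!", "Dr4g0n123", "Summer2016!", "y?c;FPp/_zrcy&Y)v9r%Agk`DVh6D[ti"]:
        print(f"{pw:36} base={base_word(pw)!r:36} dictionary={is_dictionary_variant(pw)}")
```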

Here's an example of the type of password you should be using (no this is not one of mine so you won't get anywhere with it.): 
y?c;FPp/_zrcy&Y)v9r%Agk`DVh6D[ti

Ok, now I know what you're thinking: "I can't possibly remember a password like that, much less have a different one for each site." I've got great news for you: you don't have to. There are several reputable, secure online password management sites that can take care of that for you. All you have to do is copy and paste from one of those sites, and you only have to remember one master password to get into the management site. Popular sites include LastPass, Dashlane, Passpack, 1Password and Roboform, and there are others. Most of them have a suggestion tool that can generate a password like the one above. Some also come with a backup procedure to keep those passwords always accessible. 

So how do I create a secure master password if I choose to use one of these sites? You're asking some great questions here. One strategy is to use passwords that are built from easily remembered phrases. You take the first letter of each word in the phrase, and you also mix in some symbols and numbers in place of certain words, like using & to replace "and."
Here are a few examples of strong passwords built on phrases:
  • M2010nyri2l15# (“My 2010 new year’s resolution is to lose 15 pounds”)
  • Lmu?i:Wayd4o? (“Life’s most urgent question is: What are you doing for others?”)
  • Iw2Tls&cw2gb! (“I went to Texas last summer and can’t wait to go back!”)
Remember, security vs. convenience. It's a hard choice, but the more convenience you give up, the more secure you will be online and the less likely you are to fall victim to a hacker.
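To show the phrase trick is mechanical enough to apply every time, here's a function I've added to this post (it isn't from any of the password sites above) that reproduces all three examples. The words it swaps for a digit or symbol (to, for, and, pounds, question) are my reconstruction from those examples, not a standard list.

```python
import re

# Words the post swaps for a symbol or digit rather than their first letter.
# The map is reconstructed from the post's three examples, not a fixed standard.
WORD_SUBS = {"to": "2", "for": "4", "and": "&", "pounds": "#", "question": "?"}

# Punctuation that can trail a word ("is:", "others?", "back!") and is kept.
_TOKEN = re.compile(r"^(.*?)([:?!.,;]*)$")


def phrase_to_password(phrase: str) -> str:
    """Turn a memorable phrase into a password the way the post describes.

    Each word contributes its first letter (case preserved), numbers are kept
    whole, a few words become a symbol or digit, and punctuation attached to a
    word is carried over unchanged.
    """
    out = []
    for token in phrase.split():
        word, punct = _TOKEN.match(token).groups()
        core = re.sub(r"[^A-Za-z0-9]", "", word)   # drops the ' in year's, can't
        if core:
            key = core.lower()
            if key in WORD_SUBS:
                out.append(WORD_SUBS[key])
            elif core.isdigit():
                out.append(core)                   # 2010 and 15 stay as-is
            else:
                out.append(core[0])
        out.append(punct)
    return "".join(out)


if __name__ == "__main__":
    for phrase in ["My 2010 new year's resolution is to lose 15 pounds",
                   "Life's most urgent question is: What are you doing for others?",
                   "I went to Texas last summer and can't wait to go back!"]:
        print(f"{phrase!r} -> {phrase_to_password(phrase)}")
```

Rule #3 still applies: these three come out at 13 or 14 characters, so a longer phrase buys you a longer password.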


Tuesday, February 23, 2016

Episode 2: Security Questions and Two-Factor Authentication

This episode rides on the coattails of last episode's topic of passwords. Let's start with security questions.

When signing up for an account on a website, you've probably had to answer some security questions to help protect your account. These questions may come up when you forget your password and need to reset it, or when you're logging into that site for the first time or from a different computer. They may include questions like "What was the first name of your date at your senior prom?" or "What street did you live on while in the 3rd grade?"

If a person digs deep enough with a simple Google search, they can probably find out a lot of this information. We forget sometimes how much information about us is on the web. You have to treat the answers to these questions as if your own mother were trying to hack into your account, so how do you answer them? YOU LIE!!! 

Pull up Google Maps, find a one-horse town somewhere in Montana, find a random street, and that's the street you grew up on in the 3rd grade. Think of the name of someone you've never known, and that's who you went to the prom with. Or if you really want to get clever, you went to prom with "Mailbox".

How do you remember these answers 5 years from now when you get a new computer and have to log in to your site for the first time? Let's go back to the online password manager I talked about in the last episode. There should be some kind of Notes field associated with each account you add that you can type these answers into. Or if you're still not sure about a password site, you can password-protect an Excel spreadsheet and put your information in there. But make sure you have it backed up in several places.

Two-Factor Authentication:

I cannot stress enough how important it is to use Two-Factor Authentication (2FA). 2FA is an extra layer of security that is used in addition to your password for access to certain sites. It will send a random code as a text to your cell phone, or sometimes to your email, that you type in after you've entered your password. Most sites will let you do this only once from a trusted computer, so you won't have to do it every time. But even if someone had your password, they would still need your phone to finish logging in. 
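To make the "random code texted to your phone" step concrete, here's a toy server-side version I've added to this post (it isn't code from any of the sites below). It assumes the password check already passed and leaves the actual texting to the caller; the five-minute lifetime and three-strikes limit are assumed policy values, and the "remember this trusted computer" part isn't modeled.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a texted code is good for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses burn the code


class SecondFactor:
    """Server-side half of the 'random code texted to your phone' step.

    The password check is assumed to have already passed. This class only
    issues and verifies the one-time code; actually sending the SMS or email
    is left to the caller, which is why issue() hands the code back.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # user -> [code, issued_at, wrong_attempts]

    def issue(self, user: str) -> str:
        # secrets (not random) makes the code unguessable; zero-pad to 6 digits
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [code, self._now(), 0]
        return code

    def verify(self, user: str, attempt: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                          # nothing issued, or already used
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[user]               # expired: must request a new code
            return False
        # Constant-time compare so response timing doesn't leak matching digits
        if hmac.compare_digest(code, attempt):
            del self._pending[user]               # one-time use: replaying it fails
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]               # lock the code after repeated misses
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")                      # pretend this went out as a text
    print("first use:", sf.verify("alice", code), "replay:", sf.verify("alice", code))
```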

A lot of sites offer this: Facebook, Google, Yahoo, PayPal, Dropbox, Amazon, Turbotax and many others. For a complete list, go to https://twofactorauth.org/
I am blown away however that most banks aren't doing this yet.

Please, go turn these on now!!! It's called Login Approvals on Facebook. If you Google "<insert site name here> 2fa", you'll be able to find instructions on how to do it for each site that provides it. But keep all this in mind if for some reason you ever have to get a new cell number.

Sunday, February 21, 2016

Episode 3: Facebook - Identity, Privacy and You

Part of staying secure online is protecting your identity and assessing your privacy. Facebook can be a gold mine for identity thieves, hackers, even pedophiles. Taking a run through your Facebook settings can prevent the dark side (Star Wars reference - ha ha) from rearing its ugly head.

Assuming that Step 1, you've implemented a password similar to the one in red in Episode 1 and Step 2, turned on Login Approvals (Two Factor Authentication) as described in Episode 2, let's move on:

Step 3 - Friends:
Joe Hacker sent you a friend request. Even though he has 98 mutual friends, if you don't know him, don't accept it. Or send him a message asking how he knows you.

Also, if you have a friend already that sends you a friend request, it could be an impostor. Message your "original" friend and ask about it first. 

Step 4 - Likes:
Careful what you like on Facebook. For example, liking your financial institution shows Joe Hacker or the impostor above where you bank. Now they know which site to target.

Step 5 - Settings:
  • You can do your own privacy audit by clicking the Lock at the top right and clicking "Who can see my stuff". Click View As underneath "What do other people see on my timeline." Right below the search bar, it should show Public and that's what the world sees about you.
  • If you click the Lock again and click on See More Settings, you can go through each of those items and set the preferences you want to set. Example, there's no reason a privacy conscious person would want a search engine to link to their profile. 
  • Your birthday - one of the critical ID requirements on just about any form you fill out is your birthday. If I can see how old you are when your birthday comes up, I have a critical piece of your identity puzzle. Click on your page and go to About. Click on Contact and Basic Info on the left. Hover over Birth Year and click Edit. On the Year row, change that view setting to Only Me. 
You young people, and parents of young Facebookers: it's critical you go through these settings on your child's profile and make sure nothing is set to Public. It wouldn't take long for a stalker to find out everything about your child and use that info to do harm. Also, kids don't always think, and colleges and employers will one day look up what they can about a person and make decisions based on what they see.

These are just some areas to watch out for on Facebook or any other social media site. Lurkers could be out there keeping tabs on you without you even knowing it, so take a few minutes to go through every area of your settings and set them accordingly.

Friday, February 19, 2016

Episode 4: Malware & Email

So what is malware? How do you get it and what does it do? 

Malware, short for malicious software, is a tiny program that runs on your computer and collects information without your knowledge. Its main purpose these days is to steal your banking and/or credit card information and passwords. These highly sophisticated cyber criminals can use that information themselves or sell it on the black market.

Malware can infect your computer in a variety of ways. An infected thumb drive, once inserted, can immediately spread onto your computer, as can a deceitful website download. Now there are even criminals who will pay legit websites to host their malware-infected ads, so be careful there. But there are two I want to target specifically: email and software add-ons.


Software:
On the Internet there is no shortage of free programs, apps and other software that you can download. But free often comes at a cost, and in many cases this means downloading attached "sponsored programs" that are really nothing more than malware. All those toolbars you may have on your browser are most likely malware. When installing one of these free programs, do not get lured into the "Recommended Install"; rather, choose the "Custom Install", read each install screen carefully and choose the right option. If there is no "Custom Install" option, and this program is not from a trusted source, don't bother installing it. 

Email:
Now, we're going to get back to basics here, so I'm not trying to insult your intelligence. We have to re-train our way of thinking. Let's say you get an email saying you received a $50 gift card from Kohl's. You even open the email and the page looks legit, looks like a professional ad and everything. But it has links that, if you click on them, will take you to a site that will install malware. Now let's look at common sense: Maybe you shop at Kohl's, maybe you don't, but do you really think that Kohl's just randomly knows your email address? 

Another example: UPS emails you that your shipment is delayed. First, have you ordered anything that has a UPS tracking number? Again, UPS does not know your email address. Or the IRS: again, these entities are not going to email you UNLESS you specifically signed up for their newsletters/offers/updates/etc...

So if an email slips through the spam filter and into your inbox, think before you open it. "Do I know this person", "Did I order anything", "How did that Nigerian prince find me to pay me for holding onto his inheritance". Also, look for misspellings or other weird things in the email's subject line.
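One thing you can't see by eye is where a link in that gift-card email really goes. Here's a small checker I've added to this post (not from any spam filter or product) that pulls every link out of an HTML email and flags the ones whose real destination isn't the brand the email claims to be from. The sample email is constructed for the demo; its fake hosts use reserved documentation names and addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the "you received a $50 gift card" email from the post.
# Hosts use reserved documentation names/addresses, not real attacker infrastructure.
SAMPLE_EMAIL = """<html><body>
<p>Congratulations! You have received a $50 Kohl's gift card.</p>
<p><a href="http://kohls-rewards-center.example/claim">Claim your gift card</a></p>
<p><a href="http://www.kohls.com/">www.kohls.com</a></p>
<p><a href="http://198.51.100.7/login">http://www.kohls.com/account</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html: str, expected_domain: str):
    """Return (link text, real host) for links not under expected_domain (e.g. kohls.com)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        # Subdomains of the brand are fine; anything else, including a bare IP, is flagged
        if host != expected_domain and not host.endswith("." + expected_domain):
            findings.append((text, host))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL, "kohls.com")` flags the "Claim your gift card" link and the one whose visible text says www.kohls.com but whose real host is a bare IP address.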

Prevention:
There are two things I use and both are free. For anti-virus, I use Avast. Another layer of Malware protection is Malwarebytes. Install these and try to do scans about once a month and stay protected.

Saturday, January 23, 2016

Episode 5: Securing Your Wireless Router

Let's talk securing your wireless router. 

So let's pretend there's a car parked just down the road from your house and in that car is a person with a laptop. Let's say they're able to connect to your not-so-secure wireless router. Potentially, they can see and capture everything you're doing from your banking to your emails. Even jumping on any shared drive you may have and spying on your pictures and documents. 

Obviously, this article would be too large to cover every step for every brand of router out there, so we're just going to go over the generics, and you can google the how-to's of each step as it pertains to your brand of router. In most cases, you should be able to get into the administrative portal of your router by opening up a web browser and typing in your IP gateway address. This will usually be 192.168.1.1 or 192.168.0.1. Again, you may google your brand and see what it is and what the default administrative password is.

  1. Change that default password.
  2. Allow admin access only from a wired connection.
  3. Make sure the wifi security you're using is WPA2 (not WEP). 
  4. Use AES Encryption.
  5. Make your pre-shared key (your wifi password) as complex as what we discussed in Episode 1 regarding passwords.
  6. Broadcasting your SSID has not been shown to be a significant security vulnerability, and hiding it buys you little, so you can leave broadcasting on.
  7. Keep your router up to date by performing firmware updates. If your router is old, you may consider buying a new one to keep up with the latest security measures.
  8. Disable UPnP (Universal Plug N Play).
  9. Turn on WAN ping blocking or Block ICMP. This should be in the firewall section of your router settings.
  10. If you don't anticipate a lot of guests on your network, enable MAC address filtering. This surely will test your security-vs.-convenience patience, as you will need to find the MAC address of every device that connects to your network and enter it into your router. You will then need to remember this setting as you get new devices. But this setting will ensure that no one will be able to get onto your network even if they cracked your wifi password. Each device comes with a unique MAC address, and there are no two alike in the world.
  11. Back up your settings.